Openiddict 内省不起作用(访问令牌无效。)
Openiddict introspect not working (The access token is not valid.)
我有 3 个项目 1- SPA,2- Web API 项目,3- Identity(使用 openiddict 设置,ASP.NET Core 2.0(OpenIddict.dll 版本 2.0.0.- rc2-0854) 与 EF 核心。
API 和 Identity Server 运行 成功,可以获得 jwt 令牌但是,当我尝试从具有授权属性的 API 方法获取值时,我得到一个错误:
WWW-Authenticate →Bearer error="invalid_token", error_description="The access token is not valid."
在 Application Insights 中,可以看到 POST /connect/introspect 被调用,结果依赖结果 code:500 和依赖代码:Http
相同的代码以前工作过,不确定哪些更改会破坏内省。
API 项目中的配置
services.AddAuthentication(options =>
{
options.DefaultScheme = OAuthIntrospectionDefaults.AuthenticationScheme;
})
.AddOAuthIntrospection(options =>
{
options.Authority = new Uri("http://localhost:49888");
options.ClientId = "my-resource-server";
options.ClientSecret = "ClientSecret";
options.RequireHttpsMetadata = false;
});
services.AddCors();
services.AddMvc()
.AddJsonOptions(options =>
{
options.SerializerSettings.Formatting = Formatting.None;
});
授权方法
[HttpGet("GetData/{Id}")]
[Authorize(AuthenticationSchemes = OAuthIntrospectionDefaults.AuthenticationScheme)]
[Authorize(Roles = "Admin")]
public IActionResult GetData(int courseId)
{
}
connect/introspect 在身份项目中
private async Task<AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, UserInfo user)
{
UserInfo userInfo = await _userRepository.GetUserByCredentials(request.Username, request.Password);
if (userInfo == null)
{
return null;
}
// Create a new ClaimsIdentity holding the user identity.
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role
);
// Add a "sub" claim containing the user identifier, and attach
// the "access_token" destination to allow OpenIddict to store it
// in the access token, so it can be retrieved from your controllers.
identity.AddClaim(OpenIdConnectConstants.Claims.Subject,
user.UserId.ToString(),
OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.Name,
OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Role, user.Role,
OpenIdConnectConstants.Destinations.AccessToken);
// ... add other claims, if necessary.
var principal = new ClaimsPrincipal(identity);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal,
new Microsoft.AspNetCore.Authentication.AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
。
.
从 RC2 开始,OpenIddict 可以正式用于 third-party 应用程序(即您不拥有的客户端)。因此,我们不能再假设所有注册的应用程序都是合法的并且可以自由反省令牌。
为了明确说明,您现在必须指定能够内省令牌的客户端标识符列表。为此,在创建工单时添加以下代码:
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetResources("tracking_api", "marketing_api");
资源必须与使用内省处理程序分配给您的资源服务器的 client_id 完全匹配:
services.AddAuthentication()
.AddOAuthIntrospection(options =>
{
options.Authority = new Uri("http://localhost:12345/");
options.ClientId = "marketing_api";
options.ClientSecret = "846B62D0-DEF9-4215-A99D-86E6B8DAB342";
options.RequireHttpsMetadata = false;
});
我有 3 个项目 1- SPA,2- Web API 项目,3- Identity(使用 openiddict 设置,ASP.NET Core 2.0(OpenIddict.dll 版本 2.0.0.- rc2-0854) 与 EF 核心。
API 和 Identity Server 运行 成功,可以获得 jwt 令牌但是,当我尝试从具有授权属性的 API 方法获取值时,我得到一个错误:
WWW-Authenticate →Bearer error="invalid_token", error_description="The access token is not valid."
在 Application Insights 中,可以看到 POST /connect/introspect 被调用,结果依赖结果 code:500 和依赖代码:Http
相同的代码以前工作过,不确定哪些更改会破坏内省。
API 项目中的配置
services.AddAuthentication(options =>
{
options.DefaultScheme = OAuthIntrospectionDefaults.AuthenticationScheme;
})
.AddOAuthIntrospection(options =>
{
options.Authority = new Uri("http://localhost:49888");
options.ClientId = "my-resource-server";
options.ClientSecret = "ClientSecret";
options.RequireHttpsMetadata = false;
});
services.AddCors();
services.AddMvc()
.AddJsonOptions(options =>
{
options.SerializerSettings.Formatting = Formatting.None;
});
授权方法
[HttpGet("GetData/{Id}")]
[Authorize(AuthenticationSchemes = OAuthIntrospectionDefaults.AuthenticationScheme)]
[Authorize(Roles = "Admin")]
public IActionResult GetData(int courseId)
{
}
connect/introspect 在身份项目中
private async Task<AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, UserInfo user)
{
UserInfo userInfo = await _userRepository.GetUserByCredentials(request.Username, request.Password);
if (userInfo == null)
{
return null;
}
// Create a new ClaimsIdentity holding the user identity.
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role
);
// Add a "sub" claim containing the user identifier, and attach
// the "access_token" destination to allow OpenIddict to store it
// in the access token, so it can be retrieved from your controllers.
identity.AddClaim(OpenIdConnectConstants.Claims.Subject,
user.UserId.ToString(),
OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.Name,
OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Role, user.Role,
OpenIdConnectConstants.Destinations.AccessToken);
// ... add other claims, if necessary.
var principal = new ClaimsPrincipal(identity);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal,
new Microsoft.AspNetCore.Authentication.AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
。 .
从 RC2 开始,OpenIddict 可以正式用于 third-party 应用程序(即您不拥有的客户端)。因此,我们不能再假设所有注册的应用程序都是合法的并且可以自由反省令牌。
为了明确说明,您现在必须指定能够内省令牌的客户端标识符列表。为此,在创建工单时添加以下代码:
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetResources("tracking_api", "marketing_api");
资源必须与使用内省处理程序分配给您的资源服务器的 client_id 完全匹配:
services.AddAuthentication()
.AddOAuthIntrospection(options =>
{
options.Authority = new Uri("http://localhost:12345/");
options.ClientId = "marketing_api";
options.ClientSecret = "846B62D0-DEF9-4215-A99D-86E6B8DAB342";
options.RequireHttpsMetadata = false;
});